.TH yara 1 "September 22, 2008" "Victor M. Alvarez"
.SH NAME
yara \- find files matching patterns and rules written in a special-purpose language.
.SH SYNOPSIS
.B yara 
[OPTION]... [RULEFILE]... FILE | PID
.SH DESCRIPTION
.I Yara 
scans the given 
.I FILE
or the process indentified by
.I PID
looking if it matches the patterns and rules provided in a special purpose-language. The rules are read from 
.I RULEFILEs 
or standard input.
.PP
The options to
.IR yara (1)
are:
.TP
.BI \-t " tag"
Print rules tagged as
.I tag
and ignore the rest. This option can be used multiple times.
.TP
.BI \-i " identifier"
Print rules named
.I identifier
and ignore the rest. This option can be used multiple times.
.TP
.B \-n
Print rules that doesn't apply (negate)
.TP
.B \-g 
Print the tags associated to the rule.
.TP
.B \-m 
Print metadata associated to the rule.
.TP
.B \-s
Print strings found in the file.
.TP
.BI \-l " number" 
Abort scanning after a
.I number
of rules matched.
.TP
.BI \-d " identifier"=value
Define an external variable. This option can be used multiple times.
.TP
.B \-r 
Scan files in directories recursively.
.TP
.B \-f 
Speeds up scanning by searching only for the first occurrence of each pattern.
.TP
.B \-v 
Show version information.
.SH EXAMPLES
$ yara /foo/bar/rules1 /foo/bar/rules2 .
.RS
.PP
Apply rules on
.I /foo/bar/rules1
and
.I /foo/bar/rules2
to all files on current directory. Subdirectories are not scanned.
.RE
.PP
$ yara -t Packer -t Compiler /foo/bar/rules bazfile
.RS
.PP
Apply rules on
.I /foo/bar/rules
to 
.I bazfile.
Only reports rules tagged as
.I Packer
or
.I Compiler.
.RE
.PP
$ cat /foo/bar/rules1 | yara -r /foo 
.RS
.PP
Scan all files in the
.I /foo
directory and its subdirectories. Rules are read from standard input.
.RE
.PP
$ yara -d mybool=true -d myint=5 -d mystring="my string" /foo/bar/rules bazfile  
.RS
.PP
Defines three external variables 
.I mybool
.I myint 
and
.I mystring.
.RE

.SH AUTHOR 
Victor M. Alvarez (victor.alvarez@virustotal.com) 
